"Report Vulnerable Cipher Suites for HTTPS" VT not reporting in GSEv22.4

FairFight · August 23, 2022, 12:30pm

GVM versions

gsad: 22.04.0
gvmd: 22.4.0~dev1
openvas-scanner: 22.4.0
gvm-libs: 22.4.0

Environment

Operating system: Debian 11
Kernel: Linux 5.10.0-16-amd64 #1 SMP Debian 5.10.127-1 (2022-06-30) x86_64 GNU/Linux
Installation method / source: Builded from source

Name: SSL/TLS: Report Vulnerable Cipher Suites for HTTPS
OID: 1.3.6.1.4.1.25623.1.0.108031

For some reason, the above mentioned VT is not reporting any vulnerabilities anymore, when 3DES/DES ciphers is used.
An example is that the SSL/TLS: Report Supported Cipher Suites reports the following ciphers on SSLv3:

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA

I would have expected the SSL/TLS: Report Vulnerable Cipher Suites for HTTPS VT to be triggered as vulnerable, because of the highlighted ciphers (and quite a few others).
The example is the output from a scan of https://zero.webappsecurity.com/ which is very vulnerable.

Am I misunderstanding something or should’nt the mentioned VT have triggered?

I have tested using GSE v 22.4.0 - NVT feed 20220822T1012.
cfi has tested using GOS 21.04 and 22.04 - he could replicate the issue on GOS 22.04.1

jjnicola · August 24, 2022, 1:51pm

Hello @FairFight,
Did you check that the target is found alive? This can be find in the logs.
My first run I found 0 results, but I found that the host is doesn’t respond the ping (default alive test method).
After setting the target with “consider alive”, I was able to get results.

Although, while I was testing this issue, I found another issue which can be related. I prepared a patch for it. May be this helps
If you wanto/can, please try it and let me know if it works. At least, you will get some more results.

github.com/greenbone/openvas-scanner

Fix: determine SSL/TLS support on services

greenbone:main ← greenbone:fix-tls-main

opened 01:39PM - 24 Aug 22 UTC

jjnicola

+9 -8

**What**: Scanner failed to determine SSL/TLS support on services requiring a c…lient certificate. Jira: SC-659  **Why**: Now the variable trp is passed to the function to be set. **How**: `sudo openvas-nasl -X -B -d -i ./ -t zero.webappsecurity.com find_service.nasl --kb="Ports/tcp/443=1"` without the patch, I have seen like the transport key stores a random integer (trp not set/initiliazed) `lib misc-Message: 13:59:08.804: set key Transports/TCP/443 -> 109136` with the patch, the transport key is set with the right value: `lib misc-Message: 14:02:51.355: set key Transports/TCP/443 -> 9`  **Checklist**: - [ ] Tests - [x] PR merge commit message adjusted

jjnicola · August 25, 2022, 7:56am

Ok, I tested this again, but I build the scanner with -DCMAKE_BUILD_TYPE="Release" flag. Without the patch I have no alert result in the report. But with the patch I get the result again.

Thanks for reporting this @FairFight !

Best regards.